Confined user mapped to sysadm_t cannot see the content of the /etc/shadow file even after sudo'ing

Solution Verified

Issue

  • When a user is mapped to the sysadm_u SELinux user, it is not possible to read or query the content of /etc/shadow, even through sudo:

    $ id -Z
    sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
    
    $ sudo getent shadow
    <nothing returned at all>
    
    $ sudo -r sysadm_r getent shadow
    <nothing returned at all>
    
    $ sudo -i
    # getent shadow
    <nothing returned at all>
    
  • No AVC is seen in the audit log

Environment

  • Red Hat Enterprise Linux 7 and later
    • sudo
    • getent
    • confined users mapped to sysadm_u
